[BreachExchange] Cybersecurity Vulnerabilities—Why Bad Actors Target HR Departments

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 22 14:32:51 EDT 2018


https://hrdailyadvisor.blr.com/2018/06/21/cybersecurity-vulnerabilities-bad-actors-target-hr-departments/

Your organization’s C-suite isn’t the only target at risk of cyberattacks.
Cybercriminals frequently target human resources (HR) departments with the
goal of collecting financial and personally identifiable information (PII).
HR departments are not only more likely to have cybersecurity
vulnerabilities but also keep a great deal of personal and confidential
information.

A Quick Look at HR-Related Attacks

HR departments need to be aware that they may be the target of cyberattacks
and have to be proactive about their cybersecurity.

In the past few years, there have been a number of high-profile,
HR-targeted attacks. Organizations have found themselves crippled by
ransomware, while thousands of employees have discovered that their
employer has unwittingly disclosed their personal information, leading to
identity theft and financial abuse.

In 2017, the GoldenEye Ransomware Attack targeted HR departments with fake
job applications. HR departments are used to collecting large volumes of
e-mail attachments, often in the form of a PDF. GoldenEye included a
malicious Excel file, which did not appear to be suspicious to many HR
representatives. The result was infection with ransomware: GoldenEye would
encrypt a computer’s disk and request payment of up to $1,000 to unlock
files.

Where GoldenEye focused on ransomware, other attacks have focused on
collecting information. In 2016, the Internal Revenue Service (IRS) sent
out a notice warning HR departments of phishing schemes that were designed
to collect personal information from employees. Phishing e-mails appeared
to be from company executives and requested items such as copies of
employee W-2s. Many HR managers would simply forward these documents,
leading to wide-scale breaches of Social Security numbers, dates of birth,
and addresses that could be used for identity theft.

In 2014, bad actors began to target HR departments with Gameover ZeuS
Malware. Gameover ZeuS was a malicious program that was designed
specifically to capture banking data. HR became a target for social
engineering, as hackers were able to look at sites such as Monster and
CareerBuilder to identify spear-phishing targets. From there, the criminals
installed the ZeuS Trojan, which could capture information from website
forms, implant fake employees, and target HR-related bank accounts.

These three attacks are very different, with their objectives ranging from
ransoms to capturing employee data to stealing the financial data of the
organization directly. The only common element of these attacks is that
they target cybersecurity vulnerabilities in HR departments.

But why are bad actors so interested in HR?

Why Target HR’s Cybersecurity Vulnerabilities?

HR departments are the gatekeepers of a significant amount of personal
data. W-2s, 1099s, and other employee records can all contain not only PII
but also financial information. Any company that maintains direct deposit
for payroll, for instance, will have financial information readily
available. Bad actors target HR departments simply because it is the most
expedient way to collect the data that they need.

However, this isn’t the only reason why HR is targeted. As GoldenEye
showed, HR is considered to be a weak point within many organizations from
a security perspective. HR departments are designed and predisposed to
collect outside information—to continue their hiring processes, they need
to accept and open files from strangers outside of the network. Many HR
managers are accustomed to opening strange documents and may often see
files in unusual formats from applicants who choose nonstandard file types
to submit their résumé or portfolio of work.

Additionally, HR departments aren’t prime candidates for the best
technologies. HR is more likely to be using older applications designed
specifically for HR purposes, which may not have been updated with current
antivirus programs or definitions. In addition, HR managers and team
members aren’t always the most knowledgeable about cybersecurity best
practices. HR managers may not be able to identify common phishing attempts
and may not be up to date on current attack trends.

What HR Departments Can Do about Cyberattacks

While training is always important, technology is a better way to defend
against these types of cyberattacks. HR departments need to be able to
interact with the outside world, and many of them may not have a
cybersecurity background.

Information security training likely will not prevent an HR professional
from clicking on an innocent-looking e-mail with the subject line of “my
résumé.” The system itself needs to be able to protect the company from the
risk of an HR representative clicking on the wrong link. With as many files
as HR departments generally receive, it is not realistic to expect the
employees to catch every malicious attack.

To start, departments can route application traffic through a single
workstation, isolating this station from the network and, therefore,
minimizing risk. If a malicious program like GoldenEye gets on such a
device, nothing of value will be lost; the encrypted machine can simply be
reset. As it simply isn’t possible for most HR departments to stop
accepting files, they need to be able to do it in the most convenient and
lowest-risk fashion. Isolating HR computers from the network as a whole can
prevent the propagation of malware.

When malicious programs do get into the HR department’s machines, or when
routing all traffic to a single system isn’t possible, advanced malware
detection technology can identify and mitigate malware-based threats before
any real damage is done. Many of the newer cyberattacks are developed so
that they cannot be identified through traditional means.

Antivirus programs cannot use signatures (static analysis) to identify
these attacks because the criminals automatically modify their code so
signatures immediately become outdated. Instead, advanced malware detection
programs use dynamic analysis to identify the behaviors engineered into
malware programs that are being submitted as attachments to HR. These
technologies can tell when an application, attachment, or webpage is acting
in a malicious fashion, regardless of the file type being used, and can
quarantine the item.
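As an added illustration, not part of the article, of the system-level control the last two sections call for: a static pre-filter for an HR intake mailbox that classifies each attachment by its content rather than its filename, quarantining macro-bearing Office files and name/content mismatches (the GoldenEye pattern of an Excel file arriving as a "job application") before a person opens them. The PDF-only intake policy and the sample attachments are assumptions constructed here; a filter like this complements the behavior-based detection the article recommends rather than replacing it.

```python
import io
import zipfile

# Leading bytes that identify the real container, whatever the filename says
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls/.doc
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .xlsx/.xlsm/.docx
ACCEPTED_EXTENSIONS = {"pdf"}  # assumed intake policy: resumes only as PDF


def true_type(data: bytes) -> str:
    """Classify an attachment by its magic bytes, ignoring the filename."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole-office"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-office"
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """OOXML files keep macros in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> tuple:
    """Return ('accept' | 'quarantine', reason) for one inbound attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = true_type(data)
    if kind == "ooxml-office" and has_vba_project(data):
        return "quarantine", "Office document with embedded macros"
    if kind == "ole-office":
        return "quarantine", "legacy binary Office format (cannot rule out macros)"
    if ext not in ACCEPTED_EXTENSIONS:
        return "quarantine", f"extension .{ext} is not on the accepted list"
    if kind != ext:
        return "quarantine", f"content is {kind} but the filename claims .{ext}"
    return "accept", "PDF by content and by name"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed sample, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```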